
ISP Closes Webmail After Spammers Get Addresses

Posted by CowboyNeal on Sat May 19, 2007 09:25 AM
from the simplest-solutions dept.
An anonymous reader writes "Error-prone British ISP PlusNet, who you might remember for accidentally deleting 700GB of customers' e-mail last year, have done it again with a major security gaffe. Their webmail service was compromised this week, and spammers got hold of customers' e-mail addresses who they've been happily spamming away ever since. They've since made the decision to close their webmail service, in the ultimate admission of incompetence for the now BT-owned ISP. In an e-mail to their customers, Network director Phil Webb goes on to recommend that their customers install security software, along with telling them that they shouldn't call up to complain. One might suggest that they need to practice what they preach."

Related Stories

Hardware: UK ISP PlusNet Accidentally Deletes 700GB of Email (282 comments)
steste writes "A tale of email woe for PlusNET ISP. According to this announcement they have spent the last month attempting to recover 700GB of accidentally deleted emails. By their estimates, up to 12GB of these had yet to be read by their recipients. Despite the efforts of a data recovery specialist, they have now given up on recovering any of the deleted data. Well that's one way to deal with spam." Spam is one thing; I just wonder how inevitable losses like this one square with the EU-wide data retention laws.
This discussion has been archived. No new comments can be posted.
  • Erm ? (Score:3, Funny)

    by mewt (1057562) on Saturday May 19, @09:29AM (#19190559)
    (http://www.lucidlan.com/)
    Oh well who needs email anyway ?
    • Re:Erm ? (Score:5, Funny)

      by owlnation (858981) on Saturday May 19, @09:35AM (#19190575)
      Old people. In Korea.
  • Not surprising (Score:4, Informative)

    by Zelos (1050172) on Saturday May 19, @09:35AM (#19190579)
    Not all that surprising, this is a company whose account password policy is 5-8 characters, all lower case, no non-alphanumeric characters. I've been with plus.net for ages, they seemed fantastic after my truly awful experiences with Demon, but they've been much worse recently - they broke routing recently so that I couldn't connect to my work VPN for days. Anybody recommend any other decent UK ISPs? I hear good things about Pipex.
  • Waiter, Can I have the bill please? (Score:4, Insightful)

    by jamesjw (213986) on Saturday May 19, @09:36AM (#19190587)
    (http://www.tastrek.org/)
    Honestly, if this happened to me, not only would I feel it my right to complain but to also seek out a new ISP.

    Nothing completely short of complete incompetence!

  • Their webmail service was compromised this week, and spammers got hold of customers' e-mail addresses who they've been happily spamming away ever since. They've since made the decision to close their webmail service, in the ultimate admission of incompetence for the now BT owned ISP. In an e-mail to their customers...

    It's unlikely they'll actually be able to read this email given the fact that they're now drowning in spam...
  • Lost emails (Score:5, Insightful)

    by SuperGT (1104423) on Saturday May 19, @09:40AM (#19190617)
    I always worry about this. I use my gmail account as a sort of backup, just in case my laptop decides to fail. And I also keep loads of emails there with important information I may need later. I treat it as my safety net, but what if this was to happen? I understand that google and this ISP are probably years apart (as far as security and technology), but it still makes you wonder. Now I feel like making a backup on a thumbdrive, saving it on a dvd-r, etc.
  • "700 Gb" does not seem much (divide by gmail box size and you get the number of 200 maxed out beefy gmail users), because it is an idiotic measure of stolen goods. "X raped whopping 500 women pounds", "Y stole 4500 banknotes from the bank", "Z trespassed 100 feet of my property".

    Reminds me of the Russian cartoon for kids, where different animals measure their sizes relative to the sizes of other animals, and in the end the Python says "I am much longer in Kakadoo than in Elephants".
  • Security software (Score:4, Insightful)

    by Mostly a lurker (634878) on Saturday May 19, @09:49AM (#19190665)

    Network director Phil Webb goes on to recommend that their customers install security software, along with telling them that they shouldn't call up to complain. One might suggest that they need to practice what they preach."
    A few comments:
    1. They almost certainly were using security software. The problem is that it is awfully difficult to judge effective security software from the much more common snake oil that is out there.
    2. There is a decent chance that the breach was not the fault of the security software but some kind of human error. They probably made the common mistake of assuming all they had to do was install firewall, intrusion detection and anti-malware tools and they were magically fully protected.
    3. This kind of event will probably become commonplace. There is a lot of money to be made, the crackers are technically more competent than much of the sysadmin community, and they only need to attack at the weakest points.
  • Enough (Score:2)

    by leathered (780018) on Saturday May 19, @09:51AM (#19190675)
    Well if it's not incompetence that mars PlusNet's service then it's deception. Over the last couple of years customers have had to endure blatant throttling of P2P and caps on bandwidth, the closure of their binary Usenet service and customers being banned from their forums for daring to criticise them.

    I can only blame myself for staying for so long. My previous ISP provided an excellent service but was far more expensive. As always, you get what you pay for.

  • This is *not* a solution! (Score:2, Insightful)

    by The tECHIDNA (677584) * on Saturday May 19, @09:52AM (#19190683)
    (http://www.emeraldforce.org/)
    From PlusNet's letter:
    In the meantime, if you use Webmail to check your PlusNet email from your own PC, you might find it more convenient to use an email program which runs on your PC instead.

    So let me get this straight: PlusNet's closing down the WebMail service, but leaves the main e-mail server running, so

    (1) the spam still comes in to the e-mail addresses
    (2) users now cannot access via their Internet Browser and must use an e-mail client which may not filter spam as well (or sometimes at all)

    Brilliant!
    Who's running this company -- Moe, Larry, or Curly?

  • by Bananatree3 (872975) * on Saturday May 19, @10:09AM (#19190741)
    Like, um...this guy [youtube.com].
  • Data Protection Act? (Score:5, Insightful)

    by Phil246 (803464) on Saturday May 19, @10:17AM (#19190783)
    Customers of this ISP may want to check to see if they can take action against them under the data protection act.
    In particular, the sections:
    "Personal data should be securely kept, and not transferred to any other country without adequate protection."
    and
    "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

    ( http://en.wikipedia.org/wiki/Data_Protection_Act [wikipedia.org] )
  • We can just blame this on sysadmins that don't want to work at underpaying jobs with bad managers that don't give any respect and corporate executives that don't really give a damn about quality of service.

  • by Curmudgeonlyoldbloke (850482) on Saturday May 19, @11:39AM (#19191267)
    According to Plusnet the problems were exploited before being known about publicly and the leak of email addresses is "not possible to patch". If this is true, then it's rather less of a faux pas than some of their previous problems. Having had the pleasure of dealing with Plus customer support a few times over the last few months I'd be interested to see some corroboration of what the problems actually were from elsewhere, rather than just taking their word for it, though.

    The bigger question is who else is using @mail externally out there and if Plus are right, why? Have @mail said anything about the problem? I'm assuming we're talking about these people - http://atmail.com/ [atmail.com] - but there seems to be nothing obvious on their site.

  • Talk to Mumbai (Score:2)

    by gelfling (6534) on Saturday May 19, @12:07PM (#19191467)
    (http://slashdot.org/ | Last Journal: Monday October 29, @07:20AM)
    I'm sure the eager and well paid sysadmins in Mumbai and Bangalore will get right on that problem.
  • by Bombula (670389) on Saturday May 19, @01:05PM (#19191911)
    in the ultimate admission of incompetence

    Personally, I think the British have an admirable demeanor in the face of adversity or even outright defeat, as compared to the US for example. Stiff upper lip, all that stuff. Surely it's better to admit incompetence than not? Then again, maybe it's just our (American) culture of denial that annoys me.

  • I cancelled months ago, and was still hit by the problem. Luckily, since I always sign up with unique addresses, the one in question is now forwarded to abuse@plus.net , and they can deal with the damage.
  • say what now? (Score:2)

    by Deadplant (212273) <deadplant_ca@@@hotmail...com> on Saturday May 19, @04:40PM (#19193529)

    Their webmail service was compromised this week, and spammers got hold of customers' e-mail addresses who they've been happily spamming away ever since.
    yeesh, What the hell is that sentence supposed to mean?
    Aside from the grammatical problems, what does the author mean by "spammers got hold of customers' e-mail addresses"? Do they actually mean that spammers acquired login access to email accounts?

    oh, and no, I don't feel like reading the fine article.
  • Have you noticed a sudden increase in spam since 13 May, perhaps on previously spam-free addresses?

    This might have affected you even if you're not a PlusNet customer. I use them as my ISP, but I host my email on a different server, so my details weren't compromised. Or so I thought. Turns out that address books and customer correspondence were stolen as well as PlusNet's email database, so if you've ever corresponded with someone@username.plus.com, your address could have been nicked along with theirs.

    Now several of my previously spam-free addresses have started giving me investment and health advice. Not impressed >:o[

    ISPs must be given an economic incentive to put their customers' privacy first if cases like this are to be prevented in future. I'll be voting with my wallet as soon as I can. I hope a large number of similarly affected people join me, and let this be remembered by all /.ers when next you consider a switch.

    (More details on my blog.) [richardskingdom.net]
  • Why should we expect anything more than incompetence from shelleytherepublican.com? They probably run the inferior shelleytherepublican.com software anyway. Their lack of morals and shelleytherepublican.com is something only satanist democ-rats and shelleytherepublican.com could empathize with.

    While their Great Leader, shelleytherepublican.com, was in power, we could trust our oldest allies to loyally support our victory against the Iraqis, but alas, no more. I believe the only real solution is to liberate this backward nation, before it becomes a threat to our shelleytherepublican.com and forces us to use communist European shelleytherepublican.com.

    (With special thanks to the /. auto-linking URL system)
  • Re:Typical Limey Incompetence (Score:1, Redundant)

    by clickclickdrone (964164) on Saturday May 19, @10:35AM (#19190887)
    (http://pcbookreview.com/)
    I wish I had some mod points left, that was brilliant! Inspired! Good one :-)
    (who marked this troll? sort out your humour dude)
  • Re:Typical Limey Incompetence (Score:1, Offtopic)

    by VagaStorm (691999) on Saturday May 19, @08:55PM (#19195025)
    (http://www.aleo.no/)
    Totally off topic, but that site was hilarious!!!!! Recommend having a look :p
    Teasers:

    Fact File: What is a Kernel? This component is used for typing in simple commands like "dir" and "more". Windows has a component called "cmd.exe" which serves a similar purpose but comes with better commands. Windows programmers often use a modern graphical user interface in preference to a kernel, however Linux users do not have this luxuary.

    Fact File: What is source code? Old computer programs were distributed as source-code on magnetic tape. This is an obsolete way to distribute software that was used before the availablity of the more convenient "Binary" format. Even today, some programs (such as those written by GNU) are released as source code only. Perversely, this is to prevent the software from being used outside the fraternity of computer hackers.
    :D :D :D :D :D